
Glossary of KVKK Terms

Short, clear definitions of the terms commonly used in personal data protection.

Personal Data

Any information relating to an identified or identifiable natural person — including name, national ID, email, phone, location and IP address.

Special-Category Personal Data

Sensitive data such as race, ethnicity, health, religion, sexual life, biometric and genetic data. Subject to stricter conditions and extra safeguards.

Data Controller

The natural or legal person who determines the purposes and means of processing and is responsible for the data registry system.

Data Processor

A natural or legal person who processes personal data on behalf of the controller under its authority (e.g. cloud/service providers).

Data Subject

The natural person whose personal data is processed. KVKK rights belong to this person.

Processing

Any operation performed on personal data — from collection, recording and storage to transfer and destruction.

Explicit Consent

Consent that relates to a specific subject, is based on information and is given of free will. It is revocable, and not every processing activity requires it.

Duty to Inform (Privacy Notice)

The controller's duty to inform the data subject — about its identity, purposes, transfers and rights — before processing. Distinct from explicit consent.

VERBİS

The Data Controllers Registry. The registration obligation depends on criteria like headcount, financial balance sheet and activity type.

Processing Inventory

A structured record showing which personal data is processed for which purpose and legal basis, with whom it's shared and for how long.

Retention & Destruction Policy

A policy defining retention periods and the rules for deleting, destroying or anonymizing data at the end of those periods.

Data Breach

Unauthorized access to, unlawful disclosure of, or loss of personal data. In certain cases it triggers notification to the Authority and data subjects.

Cross-Border Transfer

Transfer of personal data to parties abroad, subject to conditions such as adequacy decisions, appropriate safeguards or exceptions.

Anonymization

Rendering personal data impossible to link to an identified or identifiable person, even when combined with other data.

Authority / Board (KVKK)

The Personal Data Protection Authority and its decision body, the Board; holds regulatory, audit and enforcement powers.

Contact Person

The person who handles communication with the Authority on behalf of a VERBİS-registered controller. Does not assume the controller's obligations.

GDPR

The EU General Data Protection Regulation. Shares similar principles with KVKK and may also cover organizations processing EU residents' data.


This content is for general information only; it does not constitute legal advice.